Security Stalemate

Microsoft is about as out of the security woods as Paul Bunyan. But it isn't for not trying. The company has spent the last 10 years obsessing over every line of code, working with law enforcement to hunt down cyber criminals, cooperating with enemies to build standards for interoperability, and writing Security Essentials -- a free (gasp!) anti-malware tool that's actually pretty good.

That's just the half of it. Microsoft has the Security Response team (which should be legendary) and Patch Tuesday (which is legendary and, quite frankly, puts Apple to shame).

All this, and Microsoft still has little more than a security stalemate. That's got to be frustrating for the fine folks in Redmond.

Some of the ongoing vulnerabilities are Microsoft's doing. Its software gets larger, which makes sense on the server but not so much on the client, where it presents a larger attack surface. And the churn creates constant new code to attack.

What Microsoft can't stop is the fact that new hackers are created every day, and many are script kiddies who take code written by those with a modicum of talent and simply tweak it and resend it -- oftentimes with success.

Criminals have found there's gold in them thar computers. Often residing overseas, thieves and rogue elements of bad governments are highly organized, and find there's no better target than the most common and best understood style of computing: Microsoft's style.

To make matters worse, authorities by and large aren't serious about hackers, don't have proper knowledge and tools, and have worse funding than Enron in its final hours.

I see Microsoft spending the next 10 years tightening security even further. With sandboxes and virtualization, we might see an exponential increase in protection. But unless governments also get serious about hunting cyber criminals and dishing out real penalties, while the war will rage on, we'll still have a stalemate.

The only game-changer could be the cloud. Google just sent me a Chromebook. This thing is all Web. I'm not sure what I think so far, but I do know there are no Windows DLLs, so there's no malware.

That could be the beauty of the cloud. Our clients are safe because they're dumb, and we don't care. Our servers are safer because we don't have as many. And the cloud should be safer because those who run it are 100 percent focused on securing the limited number of apps they control.